Where should a beginner start in cyber security?

With fundamentals, not tools. Start by understanding how systems and networks work — IP addresses, ports, TCP/IP, DNS, protocols — plus operating-system basics (Windows and Linux). Without this foundation, advanced security concepts and tools won’t make sense. The biggest beginner mistake is jumping straight into hacking tools.

How long does the cyber security roadmap take?

Honestly, for a complete beginner studying consistently, around 12–18 months to become job-ready for an entry-level role — and roughly 6–12 months if you already have an IT, networking or programming background. It depends heavily on your starting point, daily study time and how much hands-on practice you do. There’s no genuine 30-day shortcut.

What are the stages of the cyber security roadmap?

Six broad stages: (1) IT, networking and OS fundamentals; (2) Linux and the command line; (3) security principles and threats; (4) hands-on labs in a safe home lab; (5) choosing a path (defensive vs offensive); and (6) certifications (Security+, CEH, later OSCP) alongside a portfolio. Each stage builds on the previous one.

Do I need a degree to follow this roadmap?

No — there’s no degree requirement. Many people enter cyber security through self-study, hands-on practice, certifications and a demonstrable portfolio. Employers in this field increasingly weigh proven practical skill over formal qualifications. A degree can help, but it isn’t necessary to follow this roadmap.

Can I follow this roadmap as a complete beginner?

Yes — it’s designed for that. You start from the very fundamentals (networking, operating systems, Linux) and build up step by step. No prior security experience is needed; consistency and hands-on practice matter most. Going in order is what makes an overwhelming field manageable.

Can I follow the roadmap while working or studying?

Yes — most people do, studying part-time (an hour or two a day). That stretches the timeline (toward the 12–18-month end for beginners), but it’s entirely doable with consistency. The roadmap is about order and steady progress, not full-time study.

What IT fundamentals do I need first?

How operating systems manage files, users and permissions (Windows and Linux); the basics of how computers and networks communicate; and core protocols. This groundwork is what makes later security concepts — firewalls, encryption, intrusion detection — actually understandable rather than memorised.

Why do I need networking knowledge?

Because networking is the backbone of cyber security — almost everything in security involves traffic moving across networks. Understanding IP addressing, ports, TCP/IP, DNS, routing and packets lets you reason about how attacks happen and how to defend against them. Skip it, and the rest won’t make sense.

How much networking should I learn?

Roughly CCNA-level fundamentals — enough to confidently understand IP, subnetting basics, ports, common protocols, DNS and how packets flow. You don’t need to be a network engineer, but a solid grasp of these is essential before security tooling. Free resources (e.g. Professor Messer’s Network+) cover this well.

Why is Linux important in cyber security?

Because a huge amount of security work — tools, servers, labs — runs on Linux. Comfort with the Linux command line, file system, permissions and packages is essential. You don’t need to be a sysadmin, but you should be fluent enough to work confidently in a terminal.

How do I learn Linux for cyber security?

Install a Linux distribution (or Kali Linux in a VM) and use it — practise the command line, file navigation, permissions and basic scripting. Free resources and interactive sites (like OverTheWire’s games) teach it hands-on. The key is doing, not just reading; spend real time in the terminal.

What security principles should I learn?

Core concepts: the CIA triad (confidentiality, integrity, availability), common attack types and how defences work, cryptography basics, and security frameworks (such as NIST, ISO 27001, CIS, MITRE ATT&CK). Studying a CompTIA Security+ curriculum is a well-structured way to cover these foundations.

What is the CIA triad?

The CIA triad — Confidentiality, Integrity and Availability — is the foundational model of information security. Confidentiality keeps data private, integrity keeps it accurate and untampered, and availability keeps it accessible to authorised users. Most security controls map to protecting one or more of these three.

Why learn fundamentals before tools?

Because tools come and go, but fundamentals last. If you learn a tool without understanding the networking or security concept behind it, you can run commands but not reason about problems — and you’re stuck when the tool changes. Fundamentals make every tool easier to learn and outlive any single technology.

Why do I need a home lab or hands-on practice?

Because reading about security and doing security are very different. A home lab (virtual machines, intentionally vulnerable systems) and practice platforms let you apply concepts safely and build real, demonstrable skill — which is exactly what employers hire on. Hands-on practice also builds confidence far faster than theory alone.

How do I set up a home lab safely and legally?

Use virtual machines on your own computer — for example, a Kali Linux VM plus intentionally vulnerable targets like DVWA or Metasploitable — so everything stays isolated on systems you own. This lets you practise attacks and defences legally, without ever touching systems you’re not authorised to test.

What platforms can I practise on legally?

Purpose-built, authorized platforms such as TryHackMe, Hack The Box, PortSwigger’s Web Security Academy and OverTheWire — all designed for safe, legal learning — plus your own home-lab VMs. Capture-the-flag (CTF) challenges are great practice too. Only ever practise where you’re explicitly permitted.

Is it legal to practise hacking at home?

Yes — when you practise on systems you own (your own VMs and intentionally vulnerable machines) or on platforms that explicitly invite it (TryHackMe, Hack The Box, authorized CTFs). It is illegal to test systems you don’t own or aren’t authorized to test. Keep all practice inside authorized environments.

How important is hands-on practice?

Critical — it’s the difference between knowing about security and being able to do it. Employers hire on demonstrable, hands-on skill, and certifications like OSCP test it directly. Consistent lab practice, CTFs and documented write-ups are what build real ability and a portfolio that gets you hired.

Should I go defensive or offensive in cyber security?

Either is valid — it depends on what you enjoy. Defensive (blue team — SOC, monitoring, incident response) has the most entry-level roles and is the common way in. Offensive (red team — authorized penetration testing) is exciting but has fewer junior roles and usually needs more hands-on proof. Understanding both helps; specialise in the one that interests you.

What is the defensive (blue team) path?

The defensive side focuses on protecting systems — monitoring for threats, detecting and responding to incidents (in a SOC), analysing logs, and forensics. It’s the largest hiring area, and SOC Analyst (Tier 1) is the most common entry role. It can involve shift work early on but offers a clear, in-demand career path.

What is the offensive (red team) path?

The offensive side is authorized attacking — penetration testing and ethical hacking done with permission to find weaknesses so they can be fixed. It’s technically deep and well-regarded, but junior roles are rarer and harder to land, usually requiring strong hands-on skills, a portfolio and often a certification like OSCP. Many offensive professionals start in IT or defensive roles.

Which path is more in demand?

Defensive/SOC roles make up the largest share of cyber hiring, so they’re the most accessible entry point. Offensive (pen-test) roles are fewer and more competitive at junior level. Cloud security is growing fast across both. For most beginners, a defensive entry role is the realistic first step, with specialisation later.

Which path pays more?

At senior levels, specialised offensive roles (penetration testing, red team) often pay a premium over equivalent defensive roles, but offensive junior roles are scarce. Defensive roles offer steadier, more available entry. Pay depends more on skill, specialisation, certifications and experience than on the path label alone.

Can I switch paths later?

Yes — easily. The fundamentals (networking, Linux, security principles) underpin every path, so you can start defensive and move offensive (or into cloud or GRC) later as your interests and skills develop. Many professionals move between areas across their careers; nothing locks you in.

Which certification should be on my roadmap first?

CompTIA Security+ is the usual first — a vendor-neutral foundation that’s widely recognised and the cheapest of the common certs. After it, CEH suits an ethical-hacking direction, and OSCP comes later for advanced penetration testing. Even if you don’t sit Security+ immediately, studying its curriculum is an excellent way to learn the fundamentals.

When should I get Security+?

Typically after you’ve built networking, Linux and security fundamentals — often a few months in. Its curriculum doubles as a great structured way to learn those fundamentals, so many people study it early even if they sit the exam a bit later. It’s a strong, affordable first certification.

When should I get CEH?

After the foundations and some hands-on practice, if you’re heading toward an ethical-hacking or pen-test direction. CEH is widely recognised by Indian employers (especially services, BFSI and government) as an entry credential. It’s issued by EC-Council and is premium-priced, so weigh it against your goals and budget.

When should I get OSCP?

Later — OSCP is an advanced, hands-on certification (a demanding 24-hour practical exam from Offensive Security), usually pursued after one to three years of experience and a lot of lab practice. It’s a longer-term goal on the roadmap, not an early step. Build the foundations and experience first.

Do I need certifications to get a job?

They help, but they’re not strictly mandatory — and skills matter more than certificates. Many people land entry roles on demonstrable hands-on ability and a portfolio, with a certification (often Security+) strengthening the application. The best outcome combines a relevant cert with genuine, provable skill.

Who issues these certifications?

Their respective bodies — CompTIA (Security+), EC-Council (CEH), Offensive Security (OSCP) — not training institutes. A course or self-study prepares you; you take the exam through the certifying body. Be wary of any institute claiming to ‘provide’ or ‘guarantee’ one of these certificates.

How many certifications do I need?

Fewer than you might think — one solid foundation cert (like Security+) is plenty to start, with others added as your path and roles require. Stacking certificates without hands-on skill doesn’t impress employers. Prioritise demonstrable ability and a portfolio; add certifications strategically, not for their own sake.

How long until I’m job-ready?

For a beginner studying consistently, realistically 12–18 months to be ready for entry roles; 6–12 months with an existing IT/coding background. ‘Job-ready’ means solid fundamentals, hands-on lab skills, a portfolio and ideally a foundational certification. Consistency and real practice are what move you along faster.

Can I become a cyber security professional in 3 months?

Realistically, no — three months is enough to build solid foundations and start practising, but not to become job-ready from scratch. Be sceptical of any course promising to make you a ‘hacker’ or job-ready in weeks. Genuine readiness takes months of consistent learning and hands-on practice; there’s no real shortcut.

Is there a shortcut or fast track?

Not a genuine one. You can move faster with an existing IT background, full-time study, and lots of hands-on practice — but you can’t skip the fundamentals or the lab time. “Become a hacker in 30 days” claims are marketing, not reality. The honest fast track is consistent, structured effort and real practice.

How long does each stage take?

Roughly: foundations (networking, Linux, OS, security principles) about 3–5 months; hands-on practice and choosing a specialisation about 3–4 months; first certification, portfolio and job applications about 2–4 months — overlapping, and faster with prior experience. Treat these as honest estimates, not promises.

How long to get my first job?

Most beginners reach the point of applying for entry roles within about 12–18 months, then the job search itself can take weeks to a few months depending on skills, portfolio, location and market. Applying once you have solid foundations (rather than waiting to feel ‘fully ready’) tends to work better.

Do I need coding on the cyber security roadmap?

Not to start, but it helps and grows in importance. Basic scripting — especially Python (and Bash) — lets you automate tasks, parse logs and understand exploits, and it’s increasingly important for offensive and specialised roles. You don’t need to be a full-time programmer; just get comfortable writing useful scripts.

How much programming do I need?

Enough to read and write simple, useful scripts — Python is the standard. You should be able to automate small tasks (like scanning ports or parsing logs) and follow code well enough to understand how vulnerabilities and exploits work. Deeper programming matters more for specialised offensive and tooling roles.

How does AI fit into the roadmap?

AI is increasingly used in security — to analyse logs, detect anomalies and speed up tasks — and as a learning aid. Treat it as an assistant that accelerates work and study, not a replacement for fundamentals or judgement. Knowing how to use AI well (and how to secure AI systems) is a growing, valuable skill on a modern roadmap.

Do I need a course to follow this roadmap?

No — you can follow it with free resources (Professor Messer, TryHackMe, Cybrary, OWASP) and self-discipline, and many people do. A structured course helps if you want a guided path, live teaching, real labs, doubt-solving, certification prep and accountability — which can be faster and less confusing than self-teaching. Choose based on how you learn best.

How does a course fit into the roadmap?

A good course compresses the early stages — giving you structured fundamentals, guided hands-on labs, a clear path through specialisation, and certification preparation — so you spend less time figuring out what to learn next. It doesn’t remove the need for practice, but it provides the structure, feedback and labs that self-learners often lack.

Does Course Unbox follow this roadmap?

Yes — Course Unbox’s Cyber Security programme broadly follows this path: foundations (networking, Linux, Python), security principles, hands-on labs, both defensive and offensive exposure, certification prep (Security+/CEH) and a portfolio plus internship — taught live by a practitioner (Bhavyam Verma), online or in Noida, from ₹35,000 (EMI). A free demo lets you see how it maps to the roadmap.

Pick up Stage 1 today — begin with networking and OS fundamentals using free resources, set up a home lab, and practise consistently. If you’d prefer a structured, guided route, explore Course Unbox’s programme or book a free demo (call/WhatsApp +91-8923660886). Whichever way, the order on this page stays the same: fundamentals first, then tools, then specialise.

Where should a beginner start in cyber security?

With fundamentals, not tools. Start by understanding how systems and networks work — IP addresses, ports, TCP/IP, DNS, protocols — plus operating-system basics (Windows and Linux). Without this foundation, advanced security concepts and tools won’t make sense. The biggest beginner mistake is jumping straight into hacking tools.

How long does the cyber security roadmap take?

Honestly, for a complete beginner studying consistently, around 12–18 months to become job-ready for an entry-level role — and roughly 6–12 months if you already have an IT, networking or programming background. It depends heavily on your starting point, daily study time and how much hands-on practice you do. There’s no genuine 30-day shortcut.

What are the stages of the cyber security roadmap?

Six broad stages: (1) IT, networking and OS fundamentals; (2) Linux and the command line; (3) security principles and threats; (4) hands-on labs in a safe home lab; (5) choosing a path (defensive vs offensive); and (6) certifications (Security+, CEH, later OSCP) alongside a portfolio. Each stage builds on the previous one.

Do I need a degree to follow this roadmap?

No — there’s no degree requirement. Many people enter cyber security through self-study, hands-on practice, certifications and a demonstrable portfolio. Employers in this field increasingly weigh proven practical skill over formal qualifications. A degree can help, but it isn’t necessary to follow this roadmap.

Can I follow this roadmap as a complete beginner?

Yes — it’s designed for that. You start from the very fundamentals (networking, operating systems, Linux) and build up step by step. No prior security experience is needed; consistency and hands-on practice matter most. Going in order is what makes an overwhelming field manageable.

Cyber Security Roadmap 2026 (Step by Step) | Course Unbox

Loading course…

Just a moment while we get the details.

Any query?

Program Overview

Cybersecurity Course

Check out our modules, batch schedules, syllabus brochures and certification options.

View course details

Table of Contents

What cyber security is

Learn in order: IT and networking fundamentals, operating systems and Linux, security principles and common threats, then practise in hands-on labs, choose a defensive or offensive direction, and layer on certifications like Security+, CEH or OSCP. Build fundamentals before tools — they outlast any single technology.

Cyber security is the practice of protecting systems, networks and data from digital attacks. It’s a broad field — from defensive monitoring to authorized offensive testing to compliance — which can feel overwhelming at the start. The good news is that there’s a sensible order to learn it in, and following that order is what turns an intimidating subject into a manageable, step-by-step path. This roadmap lays out that path — with honest timelines — so you always know what to learn next, and why.

The roadmap at a glance

Six stages take you from complete beginner toward job-ready. They overlap somewhat (you keep practising in labs throughout), but the order matters: each stage makes the next one make sense.

#	Stage	Focus	Rough time
1	IT, networking & OS fundamentals	How systems & networks work — IP, ports, TCP/IP, DNS, protocols; Windows & Linux basics	~2–3 months
2	Linux & the command line	Linux file system, permissions, packages & terminal fluency	~1–2 months
3	Security principles & threats	CIA triad, attack types, defence, cryptography basics, frameworks	~1–2 months
4	Hands-on labs (home lab)	Safe, legal practice — VMs, vulnerable machines, TryHackMe/HTB, CTFs	Ongoing
5	Choose a path	Defensive (SOC) vs offensive (pen-test); also cloud, GRC	Decide by ~month 6
6	Certifications	Security+ → CEH → (later) OSCP — plus a portfolio	Layered on

The golden rule, repeated by almost everyone who’s done it: don’t skip the fundamentals to rush into tools. Tools are easy to learn once you understand the networking and security concepts underneath; without that, you’re memorising commands you can’t reason about.

Related resources

GuideOur cyber security course (hub)

GuideHow to become a cyber security analyst

GuideCyber security skills required

Guide

Frequently Asked Questions

Learn in order: IT and networking fundamentals, operating systems and Linux, security principles and common threats, then practise in hands-on labs, choose a defensive or offensive direction, and layer on certifications like Security+, CEH or OSCP. Build fundamentals before tools — they outlast any single technology.

Stage 4: hands-on labs (home lab)

Practise legally and safely. Build a home lab using virtual machines on your own computer — for example a Kali Linux VM plus intentionally vulnerable targets like DVWA or Metasploitable — and use purpose-built, authorized platforms (TryHackMe, Hack The Box, PortSwigger’s Web Security Academy, OverTheWire). Never test systems you don’t own or aren’t authorized to test.

Reading about security and doing security are very different things, and this is the stage that builds real skill. In your safe, isolated lab and on authorized platforms, apply what you’ve learned: practise the concepts, take on capture-the-flag (CTF) challenges, and document your work in write-ups. That hands-on practice — and the portfolio of write-ups it produces — is exactly what employers and practical certifications value, and it builds confidence far faster than theory. This isn’t a one-off stage; you keep practising throughout the rest of the roadmap.

Practice (legal, authorized)	TryHackMe, Hack The Box, PortSwigger Web Security Academy, OverTheWire
Free learning	Professor Messer (Security+/Network+), Cybrary, NPTEL, OWASP, MITRE ATT&CK, NIST
Vulnerable lab targets	DVWA, Metasploitable & similar — run inside your own VMs only

Stage 5: choose a path (defensive vs offensive)

Cyber security is too broad to master all at once, so after building your foundation — typically around the six-month mark — pick a direction and go deeper. The main choice is defensive vs offensive, though cloud security and GRC are strong options too.

Path	What it involves	Honest note
Defensive (Blue team)	Monitoring, detection & response (SOC), incident response, forensics	Easiest entry; biggest hiring area; SOC Analyst L1 is the common first role
Offensive (Red team)	Authorized penetration testing & ethical hacking	Fewer junior roles; harder to break into; usually needs more hands-on proof
Cloud / GRC	Cloud security; or governance, risk & compliance	Growing; GRC is a faster non-tech-heavy entry; cloud pays well

For most beginners, a defensive (SOC) role is the realistic first job, because that’s where the most entry-level openings are; offensive roles are fewer and harder to land at junior level. Choose based on what genuinely interests you — you’ll learn faster — and remember the fundamentals let you switch paths later.

Stage 6: certifications (Security+, CEH, OSCP)

Certifications validate your knowledge and help with hiring — but skills matter more than certificates, so layer them onto real ability rather than collecting them. The common, honest ladder:

Certification	Where it fits	Issued by
CompTIA Security+	Foundational, vendor-neutral — a strong first cert	CompTIA — cheapest entry
CEH	Ethical-hacking path; widely recognised in India	EC-Council — premium-priced
OSCP	Advanced, hands-on (later, after experience)	Offensive Security

Start with CompTIA Security+ (foundational, affordable), add CEH if you’re heading toward ethical hacking, and treat OSCP as a later, advanced goal after you’ve built experience. Remember these are issued by their respective bodies (CompTIA, EC-Council, Offensive Security), not by any training institute — a course or self-study prepares you; you sit the exam with the body. One solid foundation cert plus a real portfolio beats a stack of certificates with no hands-on proof.

How long each stage takes (honest)

Honest estimates, not promises — your pace depends on your starting point and study time. Be sceptical of anyone claiming you can become job-ready in weeks. [verify – indicative, mid-2026]

Phase	Rough time	What happens
Foundations (Stages 1–3)	~3–5 months	Networking, Linux, OS & security principles
Hands-on + specialise (Stage 4–5)	~3–4 months	Labs, CTFs, choose a path, deepen skills
Cert + portfolio + apply (Stage 6)	~2–4 months	First cert, portfolio, start applying
Total (from scratch)	~12–18 months	Less (6–12) with an IT/coding background

The headline: from a standing start, realistically about 12–18 months of consistent effort to be job-ready for an entry role — roughly 6–12 months if you already have an IT, networking or coding background. Studying part-time around work or college stretches this, which is normal. Consistency and hands-on practice are what move you along; there is no genuine 30-day shortcut.

Cyber Security Roadmap 2026 (Step by Step) | Course Unbox | Course Unbox

Cyber Security Roadmap (2026): A Step-by-Step Path

Cybersecurity Course

What cyber security is

The roadmap at a glance

Related resources

Ready to take the next step?

Frequently Asked Questions

Stage 1: IT, networking & OS fundamentals

Stage 2: Linux & the command line

Stage 3: security principles & threats

Stage 4: hands-on labs (home lab)

Stage 5: choose a path (defensive vs offensive)

Stage 6: certifications (Security+, CEH, OSCP)

How long each stage takes (honest)

Do you need coding?

Common roadmap mistakes

Where a course fits